
Commit dbc925f

auth: replace GITHUB_TOKEN with gh auth login (#46)
1 parent 339734d commit dbc925f

12 files changed

Lines changed: 42 additions & 30 deletions

File tree

.env.schema

Lines changed: 0 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -31,13 +31,6 @@ GEMINI_API_KEY=
3131
# @docs(https://opencode.ai)
3232
OPENCODE_ZEN_API_KEY=
3333

34-
# ── GitHub ───────────────────────────────────────────────────────────────────
35-
36-
# GitHub Personal Access Token (classic ghp_ or fine-grained github_pat_)
37-
# @required @type=string
38-
# @docs(https://github.com/settings/tokens)
39-
GITHUB_TOKEN=
40-
4134
# ── Slack ────────────────────────────────────────────────────────────────────
4235

4336
# Slack bot OAuth token
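Review bot: Dropping `GITHUB_TOKEN` from the schema leaves existing installs with a now-unused PAT sitting in `~/.config/.env`, and nothing in this change tells operators to delete that line or revoke the token at https://github.com/settings/tokens. A one-line migration note in CONFIGURATION.md, plus a doctor warning when the stale key is still present, would close that gap.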

CONFIGURATION.md

Lines changed: 8 additions & 5 deletions
@@ -23,9 +23,13 @@ Set at least one. Multiple can coexist — switch models at runtime via `/model`
2323

2424
### GitHub
2525

26-
| Variable | Description | How to get it |
27-
|----------|-------------|---------------|
28-
| `GITHUB_TOKEN` | GitHub Personal Access Token | [github.com/settings/tokens](https://github.com/settings/tokens) — create a fine-grained token scoped to the repos you want the agent to access. Minimum scopes: `contents: write`, `pull_requests: write`, `issues: write`. |
26+
The agent uses the `gh` CLI for PRs, checks, and issues. Authenticate with:
27+
28+
```bash
29+
sudo -u baudbot_agent gh auth login
30+
```
31+
32+
This uses the device code flow — it shows a code, you visit [github.com/login/device](https://github.com/login/device) on your browser. The token is stored in `~/.config/gh/hosts.yml` (not in `.env`).
2933

3034
The agent also uses an SSH key (`~/.ssh/id_ed25519`) for git push. Setup generates one automatically. Add the public key to **Settings → SSH keys** on the GitHub account the agent will push as.
3135

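Review bot: The old table pinned the PAT to a fine-grained token limited to chosen repos with `contents`, `pull_requests` and `issues` only; a bare `gh auth login` instead mints an OAuth token whose default scopes include the classic `repo` scope across every repository the agent account can reach, so this widens the agent's blast radius and the docs should say so. Two smaller points: `gh auth login` is interactive (it asks for host, git protocol and auth method), so a headless install is better served by spelling out the flags, e.g. `sudo -u baudbot_agent gh auth login --hostname github.com --git-protocol ssh --web`; and gh stores the token in the OS keyring when one is available and only falls back to `~/.config/gh/hosts.yml`, so "stored in hosts.yml" is true for a keyring-less server but not universally.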
@@ -133,8 +137,7 @@ ANTHROPIC_API_KEY=sk-ant-...
133137
# GEMINI_API_KEY=...
134138
# OPENCODE_ZEN_API_KEY=...
135139

136-
# GitHub
137-
GITHUB_TOKEN=ghp_...
140+
# GitHub: authenticate with `sudo -u baudbot_agent gh auth login`
138141

139142
# Slack
140143
SLACK_BOT_TOKEN=xoxb-...

SECURITY.md

Lines changed: 1 addition & 1 deletion
@@ -117,7 +117,7 @@ Slack @mention
117117
| Secret | Location | Perms | Purpose |
118118
|--------|----------|-------|---------|
119119
| LLM API key(s) | `~/.config/.env` | `600` | LLM API access (one or more of: `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, `GEMINI_API_KEY`, `OPENCODE_ZEN_API_KEY`) |
120-
| `GITHUB_TOKEN` | `~/.config/.env` | `600` | GitHub PAT (scoped to agent account) |
120+
| GitHub OAuth token | `~/.config/gh/hosts.yml` | `600` | `gh` CLI auth (via `gh auth login`) |
121121
| `AGENTMAIL_API_KEY` | `~/.config/.env` | `600` | AgentMail inbox access |
122122
| `KERNEL_API_KEY` | `~/.config/.env` | `600` | Kernel cloud browsers |
123123
| `BAUDBOT_SECRET` | `~/.config/.env` | `600` | Email authentication shared secret |
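Review bot: The replaced row recorded the token's scope ("scoped to agent account"); the new one records only where the token lives. Since the `gh` OAuth token carries the classic `repo` scope for every repository the agent account can reach, the Purpose column should state that, so the threat model in this file reflects what a leaked `hosts.yml` actually yields.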

bin/ci/setup-arch.sh

Lines changed: 3 additions & 1 deletion
@@ -20,7 +20,9 @@ sudo -u baudbot_admin bash -c 'cd ~/baudbot && git init -q && git config user.em
2020

2121
echo "=== Running install.sh ==="
2222
# Simulate interactive input: admin user, required secrets, skip optionals, decline launch
23-
printf 'baudbot_admin\nsk-ant-testkey\n\n\n\nghp_testtoken\nxoxb-test\nxapp-test\nU01TEST\n\n\n\n\nn\n' \
23+
# Prompts: admin user, Anthropic, OpenAI(skip), Gemini(skip), OpenCode(skip),
24+
# Slack bot, Slack app, Slack users, AgentMail(skip), email(skip), Sentry(skip), Kernel(skip), launch(n)
25+
printf 'baudbot_admin\nsk-ant-testkey\n\n\n\nxoxb-test\nxapp-test\nU01TEST\n\n\n\n\nn\n' \
2426
| bash /home/baudbot_admin/baudbot/install.sh
2527

2628
echo "=== Verifying install ==="
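Review bot: The scripted answers no longer include a GitHub token, but nothing in the CI flow runs `gh auth login` either, so after this change `doctor.sh` will report the gh CLI as installed but unauthenticated on every CI run. Make sure the `=== Verifying install ===` step treats that as acceptable in CI (or seeds auth non-interactively with `gh auth login --with-token` from a CI secret) rather than turning the job red.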

bin/ci/setup-ubuntu.sh

Lines changed: 3 additions & 1 deletion
@@ -31,7 +31,9 @@ sudo -u baudbot_admin bash -c 'cd ~/baudbot && git init -q && git config user.em
3131

3232
echo "=== Running install.sh ==="
3333
# Simulate interactive input: admin user, required secrets, skip optionals, decline launch
34-
printf 'baudbot_admin\nsk-ant-testkey\n\n\n\nghp_testtoken\nxoxb-test\nxapp-test\nU01TEST\n\n\n\n\nn\n' \
34+
# Prompts: admin user, Anthropic, OpenAI(skip), Gemini(skip), OpenCode(skip),
35+
# Slack bot, Slack app, Slack users, AgentMail(skip), email(skip), Sentry(skip), Kernel(skip), launch(n)
36+
printf 'baudbot_admin\nsk-ant-testkey\n\n\n\nxoxb-test\nxapp-test\nU01TEST\n\n\n\n\nn\n' \
3537
| bash /home/baudbot_admin/baudbot/install.sh
3638

3739
echo "=== Verifying install ==="
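Review bot: This printf and its prompt-order comment are now an exact copy of the ones in `bin/ci/setup-arch.sh`, and the two must move in lockstep whenever `config.sh` adds or removes a prompt (as this change does). Put the scripted answers in one shared file under `bin/ci/` and have both scripts pipe it into `install.sh`, so the next prompt change cannot fix one distro and silently break the other.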

bin/config.sh

Lines changed: 0 additions & 7 deletions
@@ -189,12 +189,6 @@ fi
189189

190190
echo ""
191191

192-
prompt_secret "GITHUB_TOKEN" \
193-
"GitHub personal access token" \
194-
"https://github.com/settings/tokens" \
195-
"required" \
196-
"ghp_|github_pat_"
197-
198192
prompt_secret "SLACK_BOT_TOKEN" \
199193
"Slack bot token" \
200194
"https://api.slack.com/apps → OAuth & Permissions" \
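Review bot: Removing the `prompt_secret` block means the setup flow no longer establishes GitHub credentials at all; it only prints a reminder at the end of `install.sh`. Since PRs, checks and issues now depend on `gh`, consider offering to run `sudo -u baudbot_agent gh auth login` at this point in the flow, or at least checking `gh auth status` before declaring setup complete, so a fresh install fails closed instead of discovering the gap on first use.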
@@ -286,7 +280,6 @@ ordered_keys=(
286280
OPENAI_API_KEY
287281
GEMINI_API_KEY
288282
OPENCODE_ZEN_API_KEY
289-
GITHUB_TOKEN
290283
SLACK_BOT_TOKEN
291284
SLACK_APP_TOKEN
292285
SLACK_ALLOWED_USERS

bin/doctor.sh

Lines changed: 11 additions & 1 deletion
@@ -68,6 +68,16 @@ else
6868
warn "docker not found (optional, needed for container tasks)"
6969
fi
7070

71+
if command -v gh &>/dev/null; then
72+
if sudo -u baudbot_agent gh auth status &>/dev/null; then
73+
pass "gh cli authenticated"
74+
else
75+
warn "gh cli installed but not authenticated (run: sudo -u baudbot_agent gh auth login)"
76+
fi
77+
else
78+
fail "gh cli not found"
79+
fi
80+
7181
# ── Secrets ──────────────────────────────────────────────────────────────────
7282

7383
echo ""
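Review bot: Both checks run from the caller's context, which is not the agent's. `command -v gh` resolves against the invoking user's PATH, and `sudo -u baudbot_agent gh auth status` will itself fail when `doctor.sh` is run as `baudbot_agent` (which has no sudo outside the docker wrapper per SKILL.md), producing a misleading "not authenticated" warning. Branch on `id -un` and call `gh auth status` directly when already running as the agent. Separately, a missing binary is `fail` but a missing login is only `warn`, yet both leave PR and issue handling broken; the two should carry the same severity.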
@@ -117,7 +127,7 @@ if [ -f "$ENV_FILE" ]; then
117127
fi
118128

119129
# Check required keys
120-
for key in GITHUB_TOKEN SLACK_BOT_TOKEN SLACK_APP_TOKEN SLACK_ALLOWED_USERS; do
130+
for key in SLACK_BOT_TOKEN SLACK_APP_TOKEN SLACK_ALLOWED_USERS; do
121131
if grep -q "^${key}=.\+" "$ENV_FILE" 2>/dev/null; then
122132
pass "$key is set"
123133
else
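Review bot: The required-key loop drops `GITHUB_TOKEN`, but a `.env` left over from an earlier install will still contain the PAT, now unused and unmonitored. Add the inverse check here: if `grep -q '^GITHUB_TOKEN=' "$ENV_FILE"` matches, emit a warn telling the operator to remove the line and revoke the token.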

bin/harden-permissions.sh

Lines changed: 4 additions & 0 deletions
@@ -63,6 +63,10 @@ fix_file "$HOME/.pi/agent/settings.json" "600"
6363
# Secrets
6464
fix_file "$HOME/.config/.env" "600"
6565

66+
# GitHub CLI token (gh auth login stores token here)
67+
fix_dir "$HOME/.config/gh" "700"
68+
fix_file "$HOME/.config/gh/hosts.yml" "600"
69+
6670
# SSH (should already be correct from setup.sh)
6771
fix_dir "$HOME/.ssh" "700"
6872
find "$HOME/.ssh" -name 'id_*' -not -name '*.pub' -exec chmod 600 {} + 2>/dev/null
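Review bot: `~/.config/gh/hosts.yml` does not exist until `gh auth login` has been run, and on a fresh install `harden-permissions.sh` may run first. Confirm `fix_file` tolerates a missing path without an error exit; if it does not, guard the call with `[ -f "$HOME/.config/gh/hosts.yml" ]`. The `700` on the directory is the right level regardless, since gh also writes a non-secret `config.yml` there and the directory mode covers both.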

install.sh

Lines changed: 7 additions & 4 deletions
@@ -128,14 +128,14 @@ install_prereqs_ubuntu() {
128128
done
129129
fi
130130
apt-get update -qq
131-
apt-get install -y -qq git curl tmux iptables docker.io sudo 2>&1 | tail -3
131+
apt-get install -y -qq git curl tmux iptables docker.io gh sudo 2>&1 | tail -3
132132
}
133133

134134
install_prereqs_arch() {
135-
pacman -Syu --noconfirm --needed git curl tmux iptables docker sudo 2>&1 | tail -5
135+
pacman -Syu --noconfirm --needed git curl tmux iptables docker github-cli sudo 2>&1 | tail -5
136136
}
137137

138-
info "Installing: git, curl, tmux, iptables, docker, sudo"
138+
info "Installing: git, curl, tmux, iptables, docker, gh, sudo"
139139
"install_prereqs_$DISTRO"
140140
info "Prerequisites installed"
141141

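Review bot: `gh` may not be in the default apt repositories on every Ubuntu release this script targets (GitHub documents its own apt repo for that reason), and because the `apt-get install ... 2>&1 | tail -3` pipeline returns the exit status of `tail`, a failed install would be masked here and only surface later as `doctor.sh`'s "gh cli not found". Either add the repo setup for the supported releases or run the install under `set -o pipefail` (or check `${PIPESTATUS[0]}`) so a missing package stops the script.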
@@ -212,7 +212,7 @@ fi
212212
if [ "$HAS_LLM" = false ]; then
213213
MISSING+=" - LLM key (ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, or OPENCODE_ZEN_API_KEY)\n"
214214
fi
215-
for key in GITHUB_TOKEN SLACK_BOT_TOKEN SLACK_APP_TOKEN SLACK_ALLOWED_USERS; do
215+
for key in SLACK_BOT_TOKEN SLACK_APP_TOKEN SLACK_ALLOWED_USERS; do
216216
if ! grep -q "^${key}=.\+" "$ENV_FILE" 2>/dev/null; then
217217
MISSING+=" - $key\n"
218218
fi
@@ -273,5 +273,8 @@ if [ -f "$SSH_PUB" ]; then
273273
echo -e " ${DIM}https://github.com/settings/keys${RESET}"
274274
echo ""
275275
fi
276+
echo -e " ${YELLOW}${RESET} Authenticate GitHub CLI:"
277+
echo -e " sudo -u baudbot_agent gh auth login"
278+
echo ""
276279
echo -e " ${DIM}Full configuration reference: $REPO_DIR/CONFIGURATION.md${RESET}"
277280
echo ""
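Review bot: The reminder is printed after `install.sh` has otherwise reported success, so an operator scrolling past the SSH-key instructions can miss it and the first `gh pr create` fails with an auth error. Consider running `sudo -u baudbot_agent gh auth status` right here and printing the login command only when it fails, which also makes the message disappear once setup is complete. Minor: as rendered, the `${YELLOW}${RESET}` pair on the first line has nothing between the two escapes, so it prints no marker.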

pi/skills/control-agent/SKILL.md

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ You are **Baudbot**, a control-plane agent. Your identity:
1313

1414
- You are running as unix user `baudbot_agent` in `/home/baudbot_agent`
1515
- **Docker**: Use `sudo /usr/local/bin/baudbot-docker` instead of `docker` (a security wrapper that blocks privilege escalation)
16-
- **GitHub**: SSH access via `~/.ssh/id_ed25519`, PAT available as `$GITHUB_TOKEN`
16+
- **GitHub**: SSH access via `~/.ssh/id_ed25519`, `gh` CLI authenticated via `gh auth login`
1717
- **No sudo** except for the docker wrapper
1818
- **Session naming**: Your session name is set automatically by the `auto-name.ts` extension via the `PI_SESSION_NAME` env var. Do NOT try to run `/name` — it's an interactive command that won't work.
1919

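Review bot: The updated bullet should also tell the agent that `$GITHUB_TOKEN` is gone, since any existing skill, script or prompt that read it (for `curl` against the API, or as a git credential) will now see an empty variable. `gh auth token` prints the CLI's stored token and is the supported replacement where a raw token is unavoidable; for everything else the agent should go through `gh` subcommands so the token never lands in shell history or logs.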